Title: [198902] trunk/Source/_javascript_Core
- Revision
- 198902
- Author
- [email protected]
- Date
- 2016-03-31 11:28:48 -0700 (Thu, 31 Mar 2016)
Log Message
DFG JIT bug in typeof constant folding where the input to typeof is an object or function
https://bugs.webkit.org/show_bug.cgi?id=156034
<rdar://problem/25446785>
Reviewed by Ryosuke Niwa.
AI would constant fold TypeOf to the string "object" if it saw that
its input type didn't expand past the types contained in the set
"SpecObject - SpecObjectOther". But, SpecObject contains SpecFunction.
And typeof of a function should return "function". This patch fixes
this bug by making sure we constant fold to object iff the type
doesn't expand past the set "SpecObject - SpecObjectOther - SpecFunction".
* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
* tests/stress/typeof-dfg-function-or-object.js: Added.
(assert):
(foo.else.o):
(foo):
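A model of the type-set check this change narrows, added here as an example rather than taken from the patch; the bit values and the four `Spec*` names are illustrative stand-ins for JSC's `SpeculatedType`, and the soundness check enumerates every subset of the modelled object types to show which ones the old predicate folded wrongly:

```javascript
// Illustrative bit values; JSC's real SpeculatedType has many more bits.
const SpecFunction    = 1 << 0;
const SpecFinalObject = 1 << 1; // plain objects such as {}
const SpecArray       = 1 << 2;
const SpecObjectOther = 1 << 3; // objects whose typeof is not always "object"
const SpecObject      = SpecFunction | SpecFinalObject | SpecArray | SpecObjectOther;
const ALL_BITS = [SpecFunction, SpecFinalObject, SpecArray, SpecObjectOther];

// Mirrors `!(m_type & ~foldSet)`: true when every type the input can take lies in foldSet.
function confinedTo(typeSet, foldSet) {
  return (typeSet & ~foldSet) === 0;
}

// Before r198902: fold typeof to "object" when confined to SpecObject - SpecObjectOther.
function foldTypeofBefore(typeSet) {
  return confinedTo(typeSet, SpecObject & ~SpecObjectOther) ? "object" : null;
}

// After r198902: SpecFunction is subtracted too, since typeof on a function is "function".
function foldTypeofAfter(typeSet) {
  return confinedTo(typeSet, SpecObject & ~SpecObjectOther & ~SpecFunction) ? "object" : null;
}

// What typeof can produce at runtime for a value of a single type bit (modelled).
function runtimeTypeofResults(typeBit) {
  if (typeBit === SpecFunction) return ["function"];
  if (typeBit === SpecObjectOther) return ["object", "undefined"]; // masquerading objects
  return ["object"];
}

// A fold is sound when it declines (null) or names the one result every member type produces.
function foldIsSound(fold, typeSet) {
  const folded = fold(typeSet);
  if (folded === null) return true;
  return ALL_BITS.every(bit =>
    !(typeSet & bit) || runtimeTypeofResults(bit).every(r => r === folded));
}

// Enumerate every non-empty subset of SpecObject and collect the ones the fold gets wrong.
function unsoundTypeSets(fold) {
  const bad = [];
  for (let typeSet = 1; typeSet <= SpecObject; typeSet++) {
    if (!foldIsSound(fold, typeSet)) bad.push(typeSet);
  }
  return bad;
}

// The stress test's {}-or-function union: folded to "object" before the fix, left alone after.
console.log(foldTypeofBefore(SpecFinalObject | SpecFunction), foldTypeofAfter(SpecFinalObject | SpecFunction));
console.log(unsoundTypeSets(foldTypeofBefore).length, unsoundTypeSets(foldTypeofAfter).length);
```

Every set the old predicate folds unsoundly contains SpecFunction and no SpecObjectOther, which is exactly the case the added stress test exercises.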
Diff
Modified: trunk/Source/_javascript_Core/ChangeLog (198901 => 198902)
--- trunk/Source/_javascript_Core/ChangeLog 2016-03-31 18:24:24 UTC (rev 198901)
+++ trunk/Source/_javascript_Core/ChangeLog 2016-03-31 18:28:48 UTC (rev 198902)
@@ -1,3 +1,25 @@
+2016-03-31 Saam barati <[email protected]>
+
+ DFG JIT bug in typeof constant folding where the input to typeof is an object or function
+ https://bugs.webkit.org/show_bug.cgi?id=156034
+ <rdar://problem/25446785>
+
+ Reviewed by Ryosuke Niwa.
+
+ AI would constant fold TypeOf to the string "object" if it saw that
+ its input type didn't expand past the types contained in the set
+ "SpecObject - SpecObjectOther". But, SpecObject contains SpecFunction.
+ And typeof of a function should return "function". This patch fixes
+ this bug by making sure we constant fold to object iff the type
+ doesn't expand past the set "SpecObject - SpecObjectOther - SpecFunction".
+
+ * dfg/DFGAbstractInterpreterInlines.h:
+ (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
+ * tests/stress/typeof-dfg-function-or-object.js: Added.
+ (assert):
+ (foo.else.o):
+ (foo):
+
2016-03-31 Mark Lam <[email protected]>
Gardening: Build and logic fix after r198873.
Modified: trunk/Source/_javascript_Core/dfg/DFGAbstractInterpreterInlines.h (198901 => 198902)
--- trunk/Source/_javascript_Core/dfg/DFGAbstractInterpreterInlines.h 2016-03-31 18:24:24 UTC (rev 198901)
+++ trunk/Source/_javascript_Core/dfg/DFGAbstractInterpreterInlines.h 2016-03-31 18:28:48 UTC (rev 198902)
@@ -1170,7 +1170,7 @@
// FIXME: We could use the masquerades-as-undefined watchpoint here.
// https://bugs.webkit.org/show_bug.cgi?id=144456
- if (!(abstractChild.m_type & ~(SpecObject - SpecObjectOther))) {
+ if (!(abstractChild.m_type & ~(SpecObject - SpecObjectOther - SpecFunction))) {
setConstant(node, *m_graph.freeze(vm->smallStrings.objectString()));
break;
}
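Review bot: the narrowed condition `if (!(abstractChild.m_type & ~(SpecObject - SpecObjectOther - SpecFunction)))` is correct but carries no explanation; the only nearby comment is the FIXME about the masquerades-as-undefined watchpoint, so a reader has to go to the ChangeLog to learn why SpecFunction is now subtracted. Suggest a one-line comment above the check, e.g. `// typeof on a function is "function", so only fold to "object" when functions are excluded.` It is also worth considering a symmetric fold to the "function" string when the type is confined to SpecFunction, which this hunk does not add.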
Added: trunk/Source/_javascript_Core/tests/stress/typeof-dfg-function-or-object.js (0 => 198902)
--- trunk/Source/_javascript_Core/tests/stress/typeof-dfg-function-or-object.js (rev 0)
+++ trunk/Source/_javascript_Core/tests/stress/typeof-dfg-function-or-object.js 2016-03-31 18:28:48 UTC (rev 198902)
@@ -0,0 +1,25 @@
+function assert(b) {
+ if (!b) {
+ throw new Error("Bad")
+ }
+}
+
+function foo(arg) {
+ let o;
+ if (arg) {
+ o = {};
+ } else {
+ o = function() { }
+ }
+ return typeof o;
+}
+noInline(foo);
+
+for (let i = 0; i < 10000; i++) {
+ let bool = !!(i % 2);
+ let result = foo(bool);
+ if (bool)
+ assert(result === "object");
+ else
+ assert(result === "function");
+}
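Review bot: `throw new Error("Bad")` in `assert` gives no diagnostic when the test fails, so a regression would not say which branch produced the wrong string; suggest passing the observed value through, e.g. `assert(result === "object", result)` with `assert(b, msg)` including `msg` in the error. Style: `throw new Error("Bad")` and `o = function() { }` lack the trailing semicolons used elsewhere in the file.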